Skip to content

Changes to application authorizations, groups, roles, and tenants take only effect after re-login #34698

New issue
New issue
Closed
Bug
0 of 2 issues completed
#36718
Closed
Changes to application authorizations, groups, roles, and tenants take only effect after re-login#34698
Bug
0 of 2 issues completed
#36718
Assignees
maryarm
Labels
affects/8.8Issue is affecting 8.8 minor versionscomponent/identityRelated to the Identity component/teamkind/bugCategorizes an issue or PR as a buglikelihood/highA recurring issueseverity/midMarks a bug as having a noticeable impact but with a known workaroundversion:8.8.0-alpha8version:8.8.0-alpha8-rc1version:dryrun-8.8.0-alpha6-rc999
@ThorbenLindhauer

Description

@ThorbenLindhauer
ThorbenLindhauer
opened on Jul 2, 2025

Description

When a user logs in, we determine their associations once (membership in roles, groups, tenants; application authorizations) and put them into the web session.

When these associations change (e.g. user is removed from a group; authorizations change), then this is not reflected in this cached state. Accordingly, as long as the user's session is alive, the changes do not take effect for them.

Examples:

  • 1: Groups:
    • I am a member of a group
    • through that group I have the authorization to deploy processes
    • I am removed from the group
    • I can still deloy
  • 2: Authorized applications
    • I am assigned to Identity, Operate and Tasklist through an access authorization
    • The access to Identity is removed
    • I can still use Identity
  • 3: Authorized applications
    • Authorization checks are disabled for the cluster (leading to authorized applications being populated as *, reference)
    • I have otherwise no application access authorizations
    • I enable authorization checks and restart the cluster
    • I can still access all applications
    • Note: for this we need persistent sessions enabled, as it requires a cluster restart (e.g. on SaaS)

Current workaround: I need to re-login to obtain a new session, at which point my associations are re-evaluated

Steps to reproduce

See examples in description

Current behavior

  • User associations do not take effect

Expected behavior

  • User associations take effect either immediately or within a reasonable time (that may need to be visible to the end user)

Environment

SaaS & SM

Version

  • 8.8 since alpha5

Rootcause

  • See io.camunda.authentication.CamundaOAuthPrincipalServiceImpl.loadOAuthContext(Map<String, Object>) and related classes

Solution ideas

  • There are different options to solve this:
    • Accept as is (most likely not an option as this can lead to serious user confusion and poses a security issue)=
    • Document it (same reasoning as prior option)
    • Periodically refresh associations for a session; document and/or inform in the UI that changes only have full effect after a certain time; consider making this time configurable
    • Re-check on every request or on-demand when the values are used (probably not viable from a performance standpoint)

Dev -> QA handover

  • Resources:
  • Versions to validate:
  • Release version (in which version this feature will be released):

Links

Sub-issues

Metadata

Metadata

Assignees

Labels

affects/8.8Issue is affecting 8.8 minor versionscomponent/identityRelated to the Identity component/teamkind/bugCategorizes an issue or PR as a buglikelihood/highA recurring issueseverity/midMarks a bug as having a noticeable impact but with a known workaroundversion:8.8.0-alpha8version:8.8.0-alpha8-rc1version:dryrun-8.8.0-alpha6-rc999

Type

Bug

Projects

Quality Board

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions